Google Cloud Professional Cloud DevOps Engineer — Question 38
You are running an application on Compute Engine and collecting logs through Stackdriver. You discover that some personally identifiable information (PII) is leaking into certain log entry fields. All PII entries begin with the text userinfo. You want to capture these log entries in a secure location for later review and prevent them from leaking to Stackdriver Logging. What should you do?
Answer options
- A. Create a basic log filter matching userinfo, and then configure a log export in the Stackdriver console with Cloud Storage as a sink.
- B. Use a Fluentd filter plugin with the Stackdriver Agent to remove log entries containing userinfo, and then copy the entries to a Cloud Storage bucket.
- C. Create an advanced log filter matching userinfo, configure a log export in the Stackdriver console with Cloud Storage as a sink, and then configure a log exclusion with userinfo as a filter.
- D. Use a Fluentd filter plugin with the Stackdriver Agent to remove log entries containing userinfo, create an advanced log filter matching userinfo, and then configure a log export in the Stackdriver console with Cloud Storage as a sink.
Correct answer: B
Explanation
The correct answer is B because the Fluentd filter plugin removes the log entries containing PII at the Stackdriver Agent and the entries are then copied to Cloud Storage, so they are not exposed in Stackdriver Logging. Options A and C do not adequately prevent the PII from being logged, while D adds unnecessary complexity with an advanced log filter that is not needed for the task at hand.